[Tutorial] Port Based VLANs (Separated / Internet Only)

DD-WRT Forum Index -> Advanced Networking
Eric G.
DD-WRT Novice


Joined: 19 Sep 2011
Posts: 4

PostPosted: Mon Sep 19, 2011 3:29    Post subject: [Tutorial] Port Based VLANs (Separated / Internet Only)
Last Tutorial Update: Sept 24, 2011
Note 1: I have not tested communication between the port based VLANs and any wirelessly connected clients. Additional work may need to be done to block communication with the wireless interface (unless of course you simply turn it off or use it in Client Mode).
Note 2: According to phuzi0n, the Firewall settings used to block communication between VLANs may not work on certain builds of DD-WRT. I have successfully tested the Firewall settings on v24 preSP2 build 13064 and build 14929, but cannot confirm or deny their validity on other builds.


Introduction
I have found that the wiki article titled "VLAN Detached Networks (Separate Networks With Internet)" does not actually prevent the VLANs it creates from communicating with each other. On top of that, it is out of date and therefore contains some steps that are no longer applicable and/or necessary. As such, I have written my own tutorial.

The goal of this tutorial is to configure a router to connect computers to the Internet while ensuring that they do not see any other computers on the LAN. Each physical port on the back of the router is placed into its own VLAN (Virtual Local Area Network). Firewall rules are then added to the router to prevent communication between VLANs and the rest of the LAN.

Tutorial Versions
There are two different versions of this tutorial available. Click on a version number to download a Word document of the tutorial.
  • Version 1: Port Based VLANs (Generic)
      This is the version that is found in the body of this post. It is a generic tutorial which can be applied to a router no matter what method it uses to connect to the Internet. Due to some potential variables however, you may need to slightly tweak configuration settings depending upon your goal.
        Note: Link no longer available as the hosting service I was using (Megaupload) has been shut down. I did not have a local copy and was therefore unable to reupload it.

  • Version 2: Client Mode Wireless with Segregated Port Based VLANs
      The second version starts by describing how to configure Client Mode wireless for the purpose of gaining Internet access. It then describes how to properly configure port based VLANs for this very specific scenario. If you wish to use Client Mode wireless then please read the Introduction section on this page first: http://www.dd-wrt.com/wiki/index.php/Client_Mode.
------------------------------------------------------------------------------------------------------------------------------------------------


Instructions
The following instructions were written specifically for DD-WRT v24 preSP2 running on the WRT54GS 1.0, but they should work fine on any router that supports VLANs.
  1. Preparation (OPTIONAL)
    • Reset router to Factory Default settings.
      • Reset either by using the web interface or by doing a 30-30-30 Hard Reset.
      • Go to http://192.168.1.1/ in your web browser and set the Username and Password.
    • Configure Internet access as necessary.
    • Go to Setup -> Basic Setup.
      • Set the "Router Name" to whatever you desire.
      • Set the "Time Settings" appropriately.
      • Click Save, then Apply Settings.
    • Unplug the power for 30 seconds and then plug it back in. Wait for the lights to return to normal.
    • Ensure that Internet access is working properly.
  2. VLAN configuration of ports 1, 2, and 3.
    • Go to http://192.168.1.1/ in your web browser.
    • Go to Setup -> VLANs.
    • Plug your Ethernet cable into port 4 on the router if it is not already there.
    • Unplug the power for 30 seconds and then plug it back in. Wait for the lights to return to normal.
    • Go to Setup -> Networking.
      • NOTE: Do not set the following IP addresses to any subnets that already exist. In the 192.168.x.x address range, the third octet (the first "x") designates the subnet. In this tutorial, I'll assume that you are only using the 192.168.1.x subnet up to this point.
      • Under "Port Setup" set VLAN2 to Unbridged.
        • Set the IP Address to 192.168.2.1
        • Set the Subnet Mask to 255.255.255.0
      • Under "Port Setup" set VLAN3 to Unbridged.
        • Set the IP Address to 192.168.3.1
        • Set the Subnet Mask to 255.255.255.0
      • Under "Port Setup" set VLAN4 to Unbridged.
        • Set the IP Address to 192.168.4.1
        • Set the Subnet Mask to 255.255.255.0
      • Click Save.
      • The "Port Setup" section should look like this.
      • Under DHCPD click Add.
        • Set DHCP 0 to vlan2 with a Leasetime of 1440 (24 hours).
        • Click Save.
      • Under DHCPD click Add.
        • Set DHCP 1 to vlan3 with a Leasetime of 1440 (24 hours).
        • Click Save.
      • Under DHCPD click Add.
        • Set DHCP 2 to vlan4 with a Leasetime of 1440 (24 hours).
        • Click Save.
      • Click Apply Settings.
      • The DHCPD section should look like this.
    • Plug your Ethernet cable into any port on the router aside from port 4 or the WAN port.
    • Unplug the power for 30 seconds and then plug it back in. Wait for the lights to return to normal.
  3. VLAN configuration of port 4.
    • Go to http://192.168.1.1/ in your web browser.
    • Go to Setup -> VLANs.
      • Uncheck port 4 and place it into VLAN5.
      • Click Save, then Apply Settings.
    • Unplug the power for 30 seconds and then plug it back in. Wait for the lights to return to normal.
    • Go to Setup -> Networking.
      • Under "Port Setup" set VLAN5 to Unbridged.
        • Set the IP Address to 192.168.5.1
        • Set the Subnet Mask to 255.255.255.0
      • Click Save.
      • Under DHCPD click Add.
        • Set DHCP 3 to vlan5 with a Leasetime of 1440 (24 hours).
        • Click Save, then Apply Settings.
  4. Add Firewall rules to isolate the VLANs.
    • Go to Administration -> Commands.
      • Copy and paste the following commands into the textbox:
          iptables -I FORWARD -i vlan+ -o vlan+ -j DROP
          iptables -I FORWARD -i vlan+ -o vlan1 -j ACCEPT
          iptables -I FORWARD -i vlan1 -o vlan+ -j ACCEPT
      • Click "Save Firewall".
      • Command 1 Notes
        • This command blocks communication between all VLANs.
      • Commands 2 and 3 Notes
        • These commands allow all VLANs to communicate with VLAN1. VLAN1 contains the WAN port, making communication with it necessary for Internet access (under most Internet access configurations). Please note that these commands may not do the trick, as I was unable to test them due to my Verizon FiOS setup.
      • Additional Commands Notes
        • This command blocks all communications with the 192.168.6.x subnet. This command should be altered and/or duplicated to block each subnet used by any additional routers on your LAN.
            iptables -I FORWARD -s 192.168.6.0/255.255.255.0 -j DROP
  5. Finalize Settings
    • Go to Setup -> Basic Setup.
      • Click Save, then Apply Settings.
    • Unplug the power for 30 seconds and then plug it back in. Wait for the lights to return to normal.

Thanks to phuzi0n for pointing out a couple of flaws with the original tutorial. Enjoy!
_________________
Eric G.
RightClick Computers


Last edited by Eric G. on Fri Jan 20, 2012 3:03; edited 14 times in total
MrFidget
DD-WRT User


Joined: 15 Jul 2010
Posts: 373

PostPosted: Thu Sep 22, 2011 22:00    Post subject:
Thank you very much!

Can someone please give this person a login to the wiki!

Cheers
Chris
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Fri Sep 23, 2011 21:20    Post subject:
New account creation on the wiki was disabled and I'm not sure what the company's plans are with it...

I've been delaying to write more VLAN guides myself until there is better universal VLAN support across the range of Broadcom switches. It is just now getting to a point where I think there's functionality for it on most Broadcom hardware in builds higher than ~16800 but there's still not a beta build I would recommend for general use.

I was considering posting your guide to the wiki and appreciate all the time you put into writing it, but I believe there are many flaws with it. Build 13064 should never be used (read the link in my sig), the client mode settings don't really belong in a VLAN guide, the nvram settings shouldn't be touched when you're using a build/hardware combination that has a functional VLAN GUI page, if the VLAN GUI doesn't work on your model then the switched port wiki page explains the nvram variables, and I'm pretty sure that "+" in iptables rules doesn't work on all builds.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Eric G.
DD-WRT Novice


Joined: 19 Sep 2011
Posts: 4

PostPosted: Sat Sep 24, 2011 19:59    Post subject:
Thanks for the feedback, phuzi0n. I wasn't aware that the Router Database was flawed, which is why I was using Build 13064.

Do you think it would be worthwhile for me to address the issues you listed in my tutorial? The only issue I wouldn't know how to address would be replacing the "+" wildcard symbol I used in the iptables commands. Also, out of curiosity, what problems can arise if you touch the nvram vlan settings and then change the VLAN page? Thanks.

EDIT: I've addressed all of the issues you've brought up aside from the "+" wildcard one. Please let me know if there are any ways to fix this. Also, if you would like to add this tutorial to the wiki, but need to change something in the wiki version, then by all means, be my guest.

phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Wed Sep 28, 2011 22:04    Post subject:
If you set the nvram variables incorrectly then you can lock up the router and have to hard reset it. Different hardware requires different nvram variables and I've explained most everything I know about the variables on the switched ports page but they should only be used as a last resort.

The guide looks good enough now that I added it to the detached networks guide but I didn't wiki format it at all.

http://www.dd-wrt.com/wiki/index.php/VLAN_Detached_Networks_%28Separate_Networks_With_Internet%29#New_Instructions

The solution to the possible wildcard problem is to just expand it into multiple rules for each of the possible interfaces. Since I'm not even entirely sure that the problem exists anyways, I wouldn't worry about it unless someone runs into trouble with it.

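Added example, not code from Eric G.'s tutorial or from phuzi0n's reply: a small POSIX shell script that expands the three wildcard rules from step 4 of the tutorial into one explicit rule per interface, which is the workaround phuzi0n suggests for builds whose iptables may not accept the "+" wildcard. It assumes the tutorial's layout (vlan1 carries the WAN port, vlan2 through vlan5 are the isolated port VLANs); the function names, the WAN_VLAN/ISOLATED variables and the --apply flag are my own and not part of DD-WRT.

```shell
#!/bin/sh
# Constructed example: expand the "vlan+" wildcard rules from step 4 of the
# tutorial into explicit per-interface rules, as phuzi0n suggests for builds
# where the "+" wildcard may not work.
# Assumptions (not from the page's own code): vlan1 is the WAN-side VLAN and
# vlan2..vlan5 are the isolated port VLANs, matching the tutorial's layout.

WAN_VLAN="vlan1"
ISOLATED="vlan2 vlan3 vlan4 vlan5"

# Print the iptables commands, one per line, in the order they must be run.
# Every rule uses -I (insert at the top of FORWARD), so the LAST command
# printed ends up FIRST in the chain. The DROP rules are therefore printed
# first, so that the ACCEPT rules to and from the WAN VLAN land above them
# and are evaluated first, exactly as the tutorial's three wildcard rules do.
gen_isolation_rules() {
    wan="$1"
    isolated="$2"
    # Drop forwarding between every ordered pair of distinct isolated VLANs.
    for src in $isolated; do
        for dst in $isolated; do
            if [ "$src" != "$dst" ]; then
                echo "iptables -I FORWARD -i $src -o $dst -j DROP"
            fi
        done
    done
    # Allow each isolated VLAN to reach the WAN VLAN and to receive replies.
    for v in $isolated; do
        echo "iptables -I FORWARD -i $v -o $wan -j ACCEPT"
        echo "iptables -I FORWARD -i $wan -o $v -j ACCEPT"
    done
}

# The tutorial's "Additional Commands" rule: block forwarding to or from a
# subnet used by another router on the LAN (192.168.6.0/24 in the tutorial).
gen_subnet_block() {
    echo "iptables -I FORWARD -s $1 -j DROP"
}

# Number of rules a rule set will add; a quick sanity check before applying.
count_rules() {
    gen_isolation_rules "$1" "$2" | wc -l | tr -d ' '
}

# Usage: sh vlan_isolation.sh          -> print the commands (dry run)
#        sh vlan_isolation.sh --apply  -> run them on the router as root
if [ "$1" = "--apply" ]; then
    gen_isolation_rules "$WAN_VLAN" "$ISOLATED" | sh
else
    gen_isolation_rules "$WAN_VLAN" "$ISOLATED"
fi
```

The dry-run output can be pasted into Administration -> Commands and saved with "Save Firewall" just like the original three lines. Two things differ from the wildcard form: the explicit rules only drop traffic between the isolated VLANs rather than every vlan-to-vlan pair, which is what the tutorial intends anyway, and a VLAN added later needs its own rules (add it to ISOLATED and regenerate). After applying, `iptables -L FORWARD -v -n` should list the ACCEPT rules above the DROP rules and show the DROP counters rising when a client on one port VLAN tries to reach another.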
Lery
DD-WRT Novice


Joined: 11 Jan 2012
Posts: 2

PostPosted: Wed Jan 11, 2012 2:38    Post subject:
Hello. I have gone through the steps shown. Everything seems to be working great. I just have a question about Step 3:

Quote:
VLAN configuration of port 4.
Go to http://192.168.1.1/ in your web browser.
Go to Setup -> VLANs.
Uncheck port 4 and place it into VLAN5.
Click Save, then Apply Settings.
Unplug the power for 30 seconds and then plug it back in. Wait for the lights to return to normal.
Go to Setup -> Networking.
Under "Port Setup" set VLAN5 to Unbridged.
Set the IP Address to 192.168.5.1
Set the Subnet Mask to 255.255.255.0
Click Save.
Under DHCPD click Add.
Set DHCP 3 to vlan5 with a Leasetime of 1440 (24 hours).
Click Save, then Apply Settings


I am messing around with this in my lab, so right now Internet access is off. My server has two NIC cards. Therefore, I was assuming that I would have two VLAN's. Each VLAN has its own subnet.

Is Step 3 necessary? It has me uncheck port 4 (currently assigned to VLAN 0 as per the image linked in step 2: http://i.imgur.com/MEzdz.png).
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Tue Jan 17, 2012 19:14    Post subject:
Lery wrote:
Is Step 3 necessary? It has me uncheck port 4 (currently assigned to VLAN 0 as per the image linked in step 2: http://i.imgur.com/MEzdz.png).

Most all of it is optional. It all depends on how you want your ports configured. You can put ports in whichever VLAN you want.

Eric G.
DD-WRT Novice


Joined: 19 Sep 2011
Posts: 4

PostPosted: Thu Jan 19, 2012 4:54    Post subject:
If I remember correctly, I wrote Step 3 that way simply because I feared that VLAN0 might have special rules applied to it. It is the default VLAN, after all. That said, this step is most likely unnecessary. If you do decide to leave a port in VLAN0, however, you may need to change the assigned bridge to "None" on the Setup -> VLANs page.

SpadaSpud
DD-WRT Novice


Joined: 06 Nov 2011
Posts: 5

PostPosted: Fri Mar 30, 2012 7:01    Post subject:
Hi Eric,

I see that you wrote the guide that's in the tutorial. I have tried your guide on two different routers, a WRT54GL v1.0 and an E3000. I had a different build but again tried with 14929 as you said works.

No matter what I try nothing works as it should. Actually this build is even worse than the previous one, 15962. This time with build 14929 I get no IPs but the primary IP range, and the IPs set up in DHCP0/1/2 are never seen.

Build 15962 at least gives the IP range out, but I can't get out on the web with a browser.

Maybe you can help, as no one else even wants to comment. I have a thread here.

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=146658
sefs
DD-WRT User


Joined: 01 Oct 2008
Posts: 130

PostPosted: Fri Apr 13, 2012 13:31    Post subject:
I am trying to determine if this port-based VLANing is supported on the x86 builds. The wiki does not say whether it is or is not, although I read somewhere that this is a Broadcom-only thing.

Will this work on x86?

So far when I do the nvram show stuff I can see the ports in vlan0 & vlan1. I've moved everything from in vlan0 to vlan2 for compatibility sake according to a wiki entry.

My problem is that
1/ the x86 builds have no vlan tab.
2/ although using nvram show I can see what must be the default vlans when you install, when I go into setup->networking I cannot see any references to the vlan interfaces. I only see the network interfaces I have installed such as eth0...ethx.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Mon Apr 16, 2012 0:28    Post subject:
On x86 you typically don't have any switch but rather several NICs that each have an "eth" interface. You can use the "VLAN Tagging" section on the Networking page to tag different VIDs to each NIC, which will create interfaces like "eth1.10" where 10 is the VID and eth1 is the main interface. You can then bridge those tagged interfaces however you like.
sefs
DD-WRT User


Joined: 01 Oct 2008
Posts: 130

PostPosted: Thu Apr 19, 2012 21:16    Post subject:
phuzi0n wrote:
On x86 you typically don't have any switch but rather several NICs that each have an "eth" interface. You can use the "VLAN Tagging" section on the Networking page to tag different VIDs to each NIC, which will create interfaces like "eth1.10" where 10 is the VID and eth1 is the main interface. You can then bridge those tagged interfaces however you like.


Thank you, this has helped.
terran
DD-WRT Novice


Joined: 30 Oct 2012
Posts: 1

PostPosted: Tue Oct 30, 2012 11:29    Post subject:
Hi there,
First, thanks for the great manual.

I have one problem: I did all the steps, but I can't receive an IP from each VLAN. If I plug a cable into port x, I don't receive an IP. What more steps do I need to do?

The PC OS is Windows 7.

Thanks for help.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Tue Nov 13, 2012 20:40    Post subject:
Make sure you have your Multiple DHCP Server settings correct on the Networking page and that the DHCP Server is enabled in the Basic settings.
StevenDR
DD-WRT Novice


Joined: 07 Dec 2012
Posts: 14

PostPosted: Thu Dec 13, 2012 8:03    Post subject: DIR-825
My D-Link DIR-825 does not have the VLAN tab either. Should I follow the x86 instructions as well?

Edit: I would only want to accomplish a second WAN port (not for DUAL WAN, but for attaching my Setup box and getting it to receive an IP from my ISP as well). This worked on my old US Robotics, but I replaced that one for performance sake.